On 10 May 2021, the US Federal Bureau of Investigation issued a statement confirming that the DarkSide ransomware network was responsible for an attack that seized operations of Colonial Pipeline. Reports indicate that DarkSide’s ransomware attack breached Colonial’s IT system on 7 May, causing Colonial to shut down pipeline operations.
The Colonial Pipeline is the largest fuel pipeline in the US, carrying more than 100 million gallons along the US East Coast every day and reaching around 50 million Americans. This accounts for 45% of the East Coast's supply, according to Colonial Pipeline.
What is the impact?
The DarkSide attack demonstrates how impactful malicious cyber-attacks can be. This attack also shines a spotlight on the rise in what is known as ransomware franchises, which provide hackers with sophisticated tools that can be used to conduct cyber-attacks. By providing threat actors with hacking tools, ransomware-as-a-service has created a lower barrier to entry for attackers, leading to a rise in attacks.
In the energy sector, owners and operators protect critical infrastructure from a relentless stream of sophisticated threats. A hacker targeting a company in the energy supply chain can expose pressure points that will give rise to massive ripple effects when disrupted, even if this was not the attacker’s intention. Had ransomware successfully breached industrial control systems, the outcome could have been far more devastating and potentially resulted in physical outcomes.
More striking, however, is that when separated from its potential massive impact, the DarkSide pipeline attack was a relatively routine occurrence in today’s business environment. A well-known threat actor, DarkSide provided ransomware-as-a-service to an affiliated network of attackers. And they are not alone.
Ransomware remains a scourge across all industries, including the energy sector, and will persist so long as:
- Networks remain vulnerable from either flaws in code or human error.
- Criminal organisations remain safe-harboured in jurisdictions that promote their efforts.
- Cryptocurrency allows for anonymous payment of the threat actors’ demands.
What can companies do?
While organisations cannot eliminate ransomware as a risk, they can — and should — take steps proactively to prepare for an attack. Consider in advance how you would manage a ransomware attack: before, during, and after.
Below you will find a high-level set of recommendations to help you do so:
- Bring together key stakeholders – risk management; information security, including both the operational and information technology teams; treasury/finance; and legal, among others — to ensure there is alignment in how you would manage an attack.
- Evaluate existing controls and address identified network and security vulnerabilities. The most common ransomware attack vectors in the first quarter of 2021 included remote desktop protocol (RDP) compromise and email phishing. (DarkSide actors, for instance, have been gaining access through phishing, public-facing applications, and external remote services.) As such, implementing appropriate controls can help to thwart an attack — or at least identify one before threat actors can move laterally within your network. For example, early identification can allow you to take operational technology offline once corporate networks are known to have been compromised, but before any industrial control systems are compromised.
- Assess and test your cyber incident response plan, ensuring that it accounts for a ransomware attack. You may want to develop a ransomware “playbook” of activities focused on response to such a threat. If your organisation does not have an incident response plan, or does not spell out ransomware procedures specifically, create one. The plan should be re-evaluated following an incident with real-life lessons learned.
- Measure your organisation’s cyber risk exposure in financial terms. This will help you prioritise the cyber risks presenting the greatest exposure to your balance sheet, and allow you to determine if such risks fall outside of your appetite and/or tolerance for risk. This also enables you to evaluate the return on investment (ROI) of cybersecurity products – as well as how much risk to retain versus transfer.
- Evaluate your entire insurance portfolio, including your cyber insurance coverage, to assess whether the various programmes are aligned. Verify that coverage includes various material costs incurred as a result of a ransomware attack, including an attack that leads to physical damage and/or bodily injury.
You can find step-by-step guidance on preparing for a ransomware attack here.
What does this mean moving forward?
You cannot completely eliminate the risk of ransomware attacks, but you can — and should — plan for them. Preparation is essential, and its importance cannot be overstated. Having a well thought-out plan will enable your organisation to reduce the impact of an attack through appropriate cybersecurity controls and potentially transfer residual risk via cyber insurance. Effective preparation can help you build a cyber-resilient organisation that is well prepared to manage cyber-attacks.